InfluxDB - Hardened Self-Hosted Time Series Database
by Lynxroute
InfluxDB 2.7.12 - CIS Level 1 hardened time series DB on Ubuntu 24.04 LTS, SBOM + CIS
What is InfluxDB
InfluxDB is an open-source time series database purpose-built for high write and query loads on timestamped data - infrastructure and application metrics, application events, IoT and sensor telemetry, and real-time analytics. This image ships the 2.x line (MIT-licensed): a single Go server (influxd) with a built-in web UI, a token-authenticated HTTP API on port 8086, and two query languages - Flux and InfluxQL. Features include unbounded retention policies, downsampling tasks, dashboards, alerting checks, and the line-protocol write API compatible with Telegraf and the broad InfluxData client ecosystem (Go, Python, JavaScript, Java and more). Data persists to a local bolt metadata store and TSM storage engine under a dedicated data directory. This is the self-hosted 2.x edition, distinct from the managed cloud service and from the separately-licensed 3.x line.
Why self-host InfluxDB
Running InfluxDB on a VM you control keeps every metric and event - which often reveals infrastructure topology, traffic patterns, capacity and user behaviour - inside your own tenant rather than a third-party service. Self-hosting suits teams with data residency requirements, organisations operating under GDPR or ISO 27001, and any architecture where a long-retention time series store must sit next to the workloads it monitors with no per-sample fees. The 2.x line is MIT-licensed, fully auditable, with no vendor lock-in.
What this VM image adds
Security hardening:
- Native TLS on port 8086 - a per-instance self-signed certificate is generated at first boot (no shared key baked into the image); swap in your own CA-signed certificate at any time
- Admin user, password and all-access operator token at first boot - created non-interactively and written to /root/influxdb-credentials.txt (readable only by root)
- Token / login authentication enforced - the HTTP API and web UI refuse unauthenticated calls
- Usage telemetry disabled - no phone-home to the upstream telemetry endpoint
- UFW firewall - SSH on 22 and InfluxDB on 8086 only; Azure IMDS and WireServer egress pre-configured
- fail2ban - SSH brute-force protection
- AppArmor - mandatory access control
- CVE scan - every image is scanned with Trivy before release
OS hardening (CIS Level 1):
- CIS Ubuntu 24.04 LTS Level 1 Benchmark via ansible-lockdown
- auditd for system call auditing of critical paths
- SSH hardening - PasswordAuthentication disabled, key-only access, PermitRootLogin no, LoginGraceTime 60
- Kernel hardening - SYN cookies, ASLR, rp_filter, kexec disabled, IPv6 off
- /tmp as tmpfs with nosuid, nodev, noexec
Compliance artifacts (inside the VM):
- SBOM - CycloneDX 1.6 at /etc/lynxroute/sbom.json with InfluxDB pinned by version, PURL, MIT license, supplier, and SHA-256 hash
- CIS Conformance Report at /etc/lynxroute/cis-report.html (OpenSCAP, Azure tailoring profile, 0 FAIL rules)
- Tailored CIS profile at /usr/share/doc/lynxroute/CIS_TAILORED_PROFILE.md
- Credentials file at /root/influxdb-credentials.txt with the admin user, password, organization, bucket and the all-access operator token
Quick Start
- Deploy VM from Azure Marketplace (Standard_D2s_v3 recommended)
- SSH: ssh -i key.pem azureuser@<PUBLIC_IP>, then sudo cat /root/influxdb-credentials.txt for the admin password and operator token
- Open NSG: TCP 8086 from your trusted sources, TCP 22 from your management IPs only
- Open https://<PUBLIC_IP>:8086/ in your browser, accept the self-signed certificate warning, and log in with the admin user and password
- Or call the API/CLI with the operator token, e.g. curl -k -H "Authorization: Token <TOKEN>" https://<PUBLIC_IP>:8086/api/v2/buckets; write data with the line protocol or Telegraf
InfluxDB serves its API and built-in web UI over HTTPS on port 8086 with a per-instance self-signed certificate. For production, replace it with a CA-signed certificate (copy your cert and key to /etc/influxdb/tls/ and restart the service) and restrict NSG port 8086 to trusted sources.
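The curl call in the Quick Start uses -k, which turns off certificate verification entirely, so it accepts any server that answers on port 8086. The script below is an added example (not Lynxroute's or InfluxData's code) that talks to the same /api/v2 write and query endpoints with the operator token but pins the instance's own certificate instead: it assumes you have saved the server certificate to a local PEM file (for example by copying it out of the VM or capturing it with openssl s_client -showcerts), that the token is in the INFLUX_TOKEN environment variable, and that the org and bucket names match the ones in /root/influxdb-credentials.txt. The base URL, org and bucket shown are constructed placeholders. It also builds line-protocol points with correct escaping, which is where hand-written write calls most often go wrong.

```python
"""Write and query a hardened InfluxDB 2.x instance over HTTPS with a pinned
certificate (added example, not part of the Lynxroute image or InfluxData)."""
import os
import ssl
import urllib.request
from urllib.parse import urlencode


def _esc(value, chars):
    """Backslash-escape the given characters in a line-protocol key or tag value."""
    out = str(value)
    for ch in chars:
        out = out.replace(ch, "\\" + ch)
    return out


def _field_value(v):
    """Render a field value with the type marker line protocol expects."""
    if isinstance(v, bool):          # must come before int: bool is an int subclass
        return "true" if v else "false"
    if isinstance(v, int):
        return f"{v}i"               # trailing i marks a signed integer
    if isinstance(v, float):
        return repr(v)
    if isinstance(v, str):           # strings are double-quoted, with \ and " escaped
        return '"' + v.replace("\\", "\\\\").replace('"', '\\"') + '"'
    raise TypeError(f"unsupported field type: {type(v).__name__}")


def to_line_protocol(measurement, tags, fields, timestamp_ns=None):
    """Encode one point as a line-protocol line; tags are emitted in sorted key order."""
    if not fields:
        raise ValueError("a point needs at least one field")
    line = _esc(measurement, ", ")
    for key in sorted(tags):
        line += f",{_esc(key, ',= ')}={_esc(tags[key], ',= ')}"
    line += " " + ",".join(f"{_esc(k, ',= ')}={_field_value(v)}" for k, v in fields.items())
    if timestamp_ns is not None:
        line += f" {timestamp_ns}"
    return line


def build_write_request(base_url, token, org, bucket, lines):
    """POST /api/v2/write with the operator token in the Authorization header."""
    query = urlencode({"org": org, "bucket": bucket, "precision": "ns"})
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v2/write?{query}",
        data="\n".join(lines).encode("utf-8"),
        method="POST",
        headers={"Authorization": f"Token {token}",
                 "Content-Type": "text/plain; charset=utf-8",
                 "Accept": "application/json"})


def build_query_request(base_url, token, org, flux):
    """POST /api/v2/query with a raw Flux script, asking for annotated CSV back."""
    query = urlencode({"org": org})
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v2/query?{query}",
        data=flux.encode("utf-8"),
        method="POST",
        headers={"Authorization": f"Token {token}",
                 "Content-Type": "application/vnd.flux",
                 "Accept": "application/csv"})


def pinned_context(cert_pem_path):
    """TLS context that trusts only the certificate in cert_pem_path.

    The first-boot certificate is self-signed and may not list the VM's public
    IP as a subject alternative name, so the hostname match is skipped, but
    verify_mode stays CERT_REQUIRED: the server must present exactly the pinned
    certificate. This is strictly stronger than curl -k, which checks nothing.
    """
    ctx = ssl.create_default_context(cafile=cert_pem_path)
    ctx.check_hostname = False
    return ctx


def send(request, ctx, timeout=10):
    """Send a prepared request over the pinned context and return (status, body)."""
    with urllib.request.urlopen(request, context=ctx, timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8")


if __name__ == "__main__":
    # Constructed placeholders; replace with your VM's address, org and bucket.
    base = os.environ.get("INFLUX_URL", "https://203.0.113.10:8086")
    token = os.environ["INFLUX_TOKEN"]
    ctx = pinned_context(os.environ.get("INFLUX_CERT", "influxdb-server.pem"))
    point = to_line_protocol("cpu", {"host": "web-01"}, {"usage": 12.5, "cores": 4})
    print(send(build_write_request(base, token, "my-org", "metrics", [point]), ctx))
    flux = 'from(bucket:"metrics") |> range(start: -1h) |> filter(fn: (r) => r._measurement == "cpu")'
    print(send(build_query_request(base, token, "my-org", flux), ctx))
```

A 204 from the write endpoint means the point was accepted; a 401 means the token was rejected, which is the behaviour the image's enforced authentication is meant to produce for anything that is not carrying the operator or a scoped token. If you later replace the self-signed certificate with a CA-signed one as described above, drop the check_hostname override and pass the CA bundle (or nothing, for a public CA) to create_default_context instead.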